Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.

Log message:
Update security/vault to 0.9.3.
## 0.9.3 (January 28th, 2018)
A regression from a feature merge disabled the Nomad secrets backend in 0.9.2.
This release re-enables the Nomad secrets backend; it is otherwise identical to
0.9.2.
## 0.9.2 (January 26th, 2018)
SECURITY:
* Okta Auth Backend: While the Okta auth backend was successfully verifying
usernames and passwords, it was not checking the returned state of the
account, so accounts that had been marked locked out could still be used to
log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
the AppRole, AWS, and Cert auth backends would expire when the max TTL for
the backend/mount/system was hit instead of their stated behavior of living
as long as they are renewed. This is now fixed; existing tokens do not have
to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
seal wrapping may not be wrapped on the secondaries. This has been fixed,
and existing values will be wrapped on next read or write. This does not
affect the barrier keys.
DEPRECATIONS/CHANGES:
* `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool
returned by `sys/health` could be misleading since it would be `false` both
when a cluster was not a DR secondary but also when the node is a standby in
the cluster and has not yet fully received state from the active node. This
could cause health checks on LBs to decide that the node was acceptable for
traffic even though DR secondaries cannot handle normal Vault traffic. (In
other words, the bool could only convey "yes" or "no" but not "not sure
yet".) This has been replaced by `replication_dr_mode` and
`replication_perf_mode` which are string values that convey the current
state of the node; a value of `disabled` indicates that replication is
disabled or the state is still being discovered. As a result, an LB check
can positively verify that the node is both not `disabled` and is not a DR
secondary, and avoid sending traffic to it if either is true.
* PKI Secret Backend Roles parameter types: For `ou` and `organization`
in role definitions in the PKI secret backend, input can now be a
comma-separated string or an array of strings. Reading a role will
now return arrays for these parameters.
* Plugin API Changes: The plugin API has been updated to utilize golang's
context.Context package. Many function signatures now accept a context
object as the first parameter. Existing plugins will need to pull in the
latest Vault code and update their function signatures to begin using
context and the new gRPC transport.
FEATURES:
* **gRPC Backend Plugins**: Backend plugins now use gRPC for transport,
allowing them to be written in other languages.
* **Brand New CLI**: Vault has a brand new CLI interface that is significantly
streamlined, supports autocomplete, and is almost entirely backwards
compatible.
* **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends,
create and browse roles and certificates, and issue and sign certificates via
the listed roles.
IMPROVEMENTS:
* auth/aws: Handle IAM headers produced by clients that formulate numbers as
ints rather than strings [GH-3763]
* auth/okta: Support JSON lists when specifying groups and policies [GH-3801]
* autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues,
including HA scenarios for some Gemalto HSMs. (Enterprise)
* cli: Output password prompts to stderr to make it easier to pipe an output
token to another command [GH-3782]
* core: Report replication status in `sys/health` [GH-3810]
* physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730]
* physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730]
* plugins: Args for plugins can now be specified separately from the command,
allowing the same output format and input format for plugin information
[GH-3778]
* secret/pki: `ou` and `organization` can now be specified as a
comma-separated string or an array of strings [GH-3804]
* plugins: Plugins will fall back to using netrpc as the communication protocol
on older versions of Vault [GH-3833]
BUG FIXES:
* auth/(approle,aws,cert): Fix behavior where periodic tokens generated by
these backends could not have their TTL renewed beyond the system/mount max
TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached
[GH-2030]
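The `sys/health` entry above describes what a load-balancer check should look at, but not how to write one. The Go program below is an added example, not part of this changelog and not Vault's own code. The JSON field names `replication_dr_mode` and `replication_perf_mode` are taken from the entry (confirm them against the response of the Vault version you actually run), the sample bodies are constructed, and the `replicationExpected` parameter is this example's own addition: a cluster that never enabled replication also reports `disabled`, so the entry's "reject `disabled`" rule only applies where replication is expected to be on.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// healthReply is the subset of the sys/health body this check needs. The two
// replication field names follow the 0.9.2 changelog entry; verify them
// against the response of the deployed Vault version.
type healthReply struct {
	Initialized bool   `json:"initialized"`
	Sealed      bool   `json:"sealed"`
	DRMode      string `json:"replication_dr_mode"`
	PerfMode    string `json:"replication_perf_mode"`
}

// Routable decides whether a load balancer should send ordinary Vault traffic
// to the node that returned body. replicationExpected says whether this
// cluster is supposed to take part in replication: if so, "disabled" means
// "state not discovered yet" and the node is held back; if not, "disabled" is
// the normal steady state and only a DR secondary is rejected. Anything the
// check cannot classify positively is treated as not routable.
func Routable(body []byte, replicationExpected bool) (bool, string) {
	var h healthReply
	if err := json.Unmarshal(body, &h); err != nil {
		return false, "unparseable sys/health body: " + err.Error()
	}
	switch {
	case !h.Initialized:
		return false, "not initialized"
	case h.Sealed:
		return false, "sealed"
	case h.DRMode == "":
		// Pre-0.9.2 nodes only expose the replication_dr_secondary bool, which
		// cannot tell "no" from "not sure yet"; refuse to guess.
		return false, "replication mode not reported by this Vault version"
	case h.DRMode == "secondary":
		return false, "DR secondary cannot serve normal Vault traffic"
	case h.DRMode == "disabled" && replicationExpected:
		return false, "replication state still being discovered"
	}
	return true, fmt.Sprintf("ok (dr=%s, perf=%s)", h.DRMode, h.PerfMode)
}

func main() {
	// Constructed sample bodies, not captured from a real cluster.
	samples := map[string]string{
		"dr primary":     `{"initialized":true,"sealed":false,"replication_dr_mode":"primary","replication_perf_mode":"disabled"}`,
		"dr secondary":   `{"initialized":true,"sealed":false,"replication_dr_mode":"secondary","replication_perf_mode":"disabled"}`,
		"still unknown":  `{"initialized":true,"sealed":false,"replication_dr_mode":"disabled","replication_perf_mode":"disabled"}`,
		"pre-0.9.2 node": `{"initialized":true,"sealed":false,"replication_dr_secondary":false}`,
	}
	for name, body := range samples {
		ok, why := Routable([]byte(body), true)
		fmt.Printf("%-15s routable=%-5v %s\n", name, ok, why)
	}
}
```

In a real check `body` is the response of `GET /v1/sys/health`, and the decision should be paired with the HTTP status code the endpoint returns rather than replace it.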

Log message:
Update security/vault to 0.9.1.
DEPRECATIONS/CHANGES:
- AppRole Case Sensitivity: In prior versions of Vault, `list` operations
against AppRole roles would require preserving case in the role name, even
though most other operations within AppRole are case-insensitive with
respect to the role name. This has been fixed; existing roles will behave as
they have in the past, but new roles will act case-insensitively in these
cases.
- Token Auth Backend Roles parameter types: For `allowed_policies` and
`disallowed_policies` in role definitions in the token auth backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
- Transit key exporting: You can now mark a key in the `transit` backend as
`exportable` at any time, rather than just at creation time; however, once
this value is set, it still cannot be unset.
- PKI Secret Backend Roles parameter types: For `allowed_domains` and
`key_usage` in role definitions in the PKI secret backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
- SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic
key method in the SSH backend, the default is now to use 2048-bit keys if no
specific key bit size is specified.
- Consul Secret Backend lease handling: The `consul` secret backend can now
accept both strings and integer numbers of seconds for its lease value. The
value returned on a role read will be an integer number of seconds instead
of a human-friendly string.
- Unprintable characters not allowed in API paths: Unprintable characters are
no longer allowed in names in the API (paths and path parameters), with an
extra restriction on whitespace characters. Allowed characters are those
that are considered printable by Unicode plus spaces.
FEATURES:
- Transit Backup/Restore: The `transit` backend now supports a backup
operation that can export a given key, including all key versions and
configuration, as well as a restore operation allowing import into another
Vault.
- gRPC Database Plugins: Database plugins now use gRPC for transport,
allowing them to be written in other languages.
- Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked
using Vault.
- TLS Cert Auth Backend Improvements: The `cert` auth backend can now
match against custom certificate extensions via exact or glob matching, and
additionally supports max_ttl and periodic token toggles.
IMPROVEMENTS:
- auth/cert: Support custom certificate constraints
- auth/cert: Support setting `max_ttl` and `period`
- audit/file: Setting a file mode of `0000` will now disable Vault from
automatically `chmod`ing the log file
- auth/github: The legacy MFA system can now be used with the GitHub auth
backend
- auth/okta: The legacy MFA system can now be used with the Okta auth backend
- auth/token: `allowed_policies` and `disallowed_policies` can now be specified
as a comma-separated string or an array of strings
- command/server: The log level can now be specified with `VAULT_LOG_LEVEL`
- core: Period values from auth backends will now be checked and applied to the
TTL value directly by core on login and renewal requests
- database/mongodb: Add optional `write_concern` parameter, which can be set
during database configuration. This establishes a session-wide write
concern for the lifecycle of the mount
- http: Request paths containing non-printable characters will return 400 - Bad
Request
- mfa/okta: Filter a given email address as a login filter, allowing operation
when login email and account email are different
- plugins: Make Vault more resilient when unsealing when plugins are
unavailable
- secret/pki: `allowed_domains` and `key_usage` can now be specified
as a comma-separated string or an array of strings
- secret/ssh: Allow 4096-bit keys to be used in dynamic key method
- secret/consul: The Consul secret backend now uses the value of `lease` set
on the role, if set, when renewing a secret.
- storage/mysql: Don't attempt database creation if it exists, which can help
under certain permissions constraints
BUG FIXES:
- api/status (enterprise): Fix status reporting when using an auto seal
- auth/approle: Fix case-sensitive/insensitive comparison issue
- auth/cert: Return `allowed_names` on role read
- auth/ldap: Fix incorrect control information being sent
- core: Fix seal status reporting when using an autoseal
- core: Add creation path to wrap info for a control group token
- core: Fix potential panic that could occur using plugins when a node
transitioned from active to standby
- core: Fix memory ballooning when a connection would connect to the cluster
port and then go away -- redux!
- core: Replace recursive token revocation logic with depth-first logic, which
can avoid hitting stack depth limits in extreme cases
- core: When doing a read on configured audited-headers, properly handle case
insensitivity
- core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
- database/mysql: Allow the creation statement to use commands that are not yet
supported by the prepare statement protocol
- plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference`

Log message:
Update security/vault to 0.9.0.
DEPRECATIONS/CHANGES:
- API HTTP client behavior: When calling `NewClient` the API no longer
modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
backend that gets returned along with the authentication response
will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
or update a role with the mutually-exclusive options
`disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
backend, the TTL/max TTL values will now be an integer number of
seconds rather than a string. This better matches the API elsewhere
in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
the API, the response data will additionally return a `key_info` map
that will contain a map of each key with a corresponding object
containing the `key_type`.
- More granularity in audit logs: Audit request and response entries
are still in RFC3339 format but now have a granularity of
nanoseconds.
- High availability related values have been moved out of the
`storage` and `ha_storage` stanzas, and into the top-level
configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
is optional and enables configuration of the seal type to use for
additional data protection, such as using HSM or Cloud KMS solutions
to encrypt and decrypt data.
FEATURES:
- RSA Support for Transit Backend: Transit backend can now generate
RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
enhancements, Identity is an integrated system for understanding
users across tokens and enabling easier management of users directly
and via groups.
- External Groups in Identity: Vault can now automatically assign
users and systems to groups in Identity based on their membership in
external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
take advantage of FIPS 140-2-certified HSMs to ensure that Critical
Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
Sentinel to create extremely flexible access control policies - even
on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
auto-unsealing functionality, the `rekey` operation is now
supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
using Disaster Recovery replication, a token can be created that can
be used to authorize actions such as promotion and updating primary
information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
auto-unsealing, a request to unseal Vault can be triggered by a
threshold of recovery keys, rather than requiring the Vault process to
be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
Enterprise UI. The look and feel has been completely redesigned to
give users a better experience and make managing secrets fast and
easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
backend, create and browse roles, and use them to sign keys or
generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
backend via the Vault Enterprise UI. In addition you can create
roles, browse the roles and Generate IAM Credentials from them
in the UI.
IMPROVEMENTS:
- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
The files themselves were `600` and are all encrypted, but this
doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
or an integer
- secret/transit: Sign and verify operations now support a `none` hash
algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
promoting, and updating primary on DR Secondary clusters
BUG FIXES:
- api: Fix panic when setting a custom HTTP client but with a nil
transport
- api: Fix authing to the `cert` backend when the CA for the client
cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
matching
- physical/etcd3: Fix case where standbys can lose their etcd client
lease
- physical/file: Fix listing when underscores are the first component
of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
this was erroneously removed in a previous release

Log message:
Update security/vault to 0.8.3.
CHANGES:
- Policy input/output standardization: For all built-in authentication
backends, policies can now be specified as a comma-delimited string or an
array if using JSON as API input; on read, policies will be returned as an
array; and the `default` policy will not be forcefully added to policies
saved in configurations. Please note that the `default` policy will continue
to be added to generated tokens, however, rather than backends adding
`default` to the given set of input policies (in some cases, and not in
others), the stored set will reflect the user-specified set.
- `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the
endpoint would not modify the Issuer in the generated certificate, leaving
the output self-issued. Although theoretically valid, in practice crypto
stacks were unhappy validating paths containing such certs. As a result,
`sign-self-issued` now encodes the signing CA's Subject DN into the Issuer
DN of the generated certificate.
- `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely
useful in break-glass or support scenarios, it is also extremely dangerous.
As of now, a configuration file option `raw_storage_endpoint` must be set in
order to enable this API endpoint. Once set, the available functionality has
been enhanced slightly; it now supports listing and decrypting most of
Vault's core data structures, except for the encryption keyring itself.
- `generic` is now `kv`: To better reflect its actual use, the `generic`
backend is now `kv`. Using `generic` will still work for backwards
compatibility.
FEATURES:
- GCE Support for GCP Auth: GCE instances can now authenticate to Vault
using machine credentials.
- Support for Kubernetes Service Account Auth: Kubernetes Service Accounts
can now authenticate to vault using JWT tokens.
IMPROVEMENTS:
- configuration: Provide a config option to store Vault server's process ID
(PID) in a file
- mfa (Enterprise): Add the ability to use identity metadata in username
format
- mfa/okta (Enterprise): Add support for configuring base_url for API calls
- secret/pki: `sign-intermediate` will now allow specifying a `ttl` value
longer than the signing CA certificate's NotAfter value.
- sys/raw: Raw storage access is now disabled by default
BUG FIXES:
- auth/okta: Fix regression that removed the ability to set base_url
- core: Fix panic while loading leases at startup on ARM processors
- secret/pki: Fix `sign-self-issued` encoding the wrong subject public key
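The 0.8.3 policy entry above, together with the 0.9.1 and 0.9.2 entries for `allowed_policies`, `allowed_domains`, `key_usage`, `ou` and `organization`, all describe one contract: accept either a comma-delimited string or an array of strings, and always read back an array. The Go code below is an added example of a parser that honours that contract; it is not Vault's own code, `ParseStringList` and `NormalizeRoleInput` are names chosen here, and the sample request bodies are constructed. As the entry says of the stored set, the parser does not inject `default` or any other value on its own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ParseStringList accepts the two input shapes the changelog entries describe
// for list-valued role parameters: a comma-delimited string or an array of
// strings. The result is trimmed, de-duplicated and sorted so that a later
// read returns the same array whichever shape the caller used.
func ParseStringList(raw interface{}) ([]string, error) {
	var items []string
	switch v := raw.(type) {
	case nil:
		return []string{}, nil
	case string:
		items = strings.Split(v, ",")
	case []string:
		items = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("list element %v has type %T, want string", e, e)
			}
			items = append(items, s)
		}
	default:
		return nil, fmt.Errorf("unsupported type %T for list parameter", raw)
	}
	seen := make(map[string]bool, len(items))
	out := make([]string, 0, len(items))
	for _, s := range items {
		s = strings.TrimSpace(s)
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, s)
	}
	sort.Strings(out)
	return out, nil
}

// NormalizeRoleInput parses a JSON request body and returns every named list
// parameter in canonical array form, the shape the 0.8.3 entry says a role
// read now returns. Keys absent from the body map to an empty list.
func NormalizeRoleInput(body []byte, listKeys ...string) (map[string][]string, error) {
	var req map[string]interface{}
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	out := make(map[string][]string, len(listKeys))
	for _, k := range listKeys {
		list, err := ParseStringList(req[k])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = list
	}
	return out, nil
}

func main() {
	// Constructed sample bodies: one uses the string form, one the array form.
	for _, body := range []string{
		`{"policies":"dev, prod,dev", "allowed_domains":"example.com"}`,
		`{"policies":["prod","dev"], "allowed_domains":["example.com","example.net"]}`,
	} {
		norm, err := NormalizeRoleInput([]byte(body), "policies", "allowed_domains")
		fmt.Println(norm, err)
	}
}
```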

Log message:
## 0.8.2 (September 5th, 2017)
SECURITY:
- In prior versions of Vault, if authenticating via AWS IAM and
requesting a periodic token, the period was not properly respected.
This could lead to tokens expiring unexpectedly, or a token lifetime
being longer than expected. Upon token renewal with Vault 0.8.2 the
period will be properly enforced.
DEPRECATIONS/CHANGES:
- `vault ssh` users should supply `-mode` and `-role` to reduce the
number of API calls. A future version of Vault will mark these
optional values as required. Failure to supply `-mode` or `-role`
will result in a warning.
- Vault plugins will first briefly run a restricted version of the
plugin to fetch metadata, and then lazy-load the plugin on first
request to prevent crash/deadlock of Vault during the unseal process.
Plugins will need to be built with the latest changes in order for them
to run properly.
FEATURES:
- Lazy Lease Loading: On startup, Vault will now load leases from
storage in a lazy fashion (token checks and revocation/renewal
requests still force an immediate load). For larger installations this
can significantly reduce downtime when switching active nodes or
bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
backend for authenticating to machines. It also supports remote host
key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
signing self-issued CA certs. This is useful when switching root CAs.
IMPROVEMENTS:
- audit/file: Allow specifying `stdout` as the `file_path` to log to
standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
case-preserving
- auth/okta: Standardize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
-autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`.
What is output depends on the other given flags; see the help output
for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
`cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
of the parameter or within the `config` object when mounting a secret
or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
of seconds
- secret/pki: Self-issued certs can now be signed via
`pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist
BUG FIXES:
- auth/aws: Properly use role-set period values for IAM-derived token
renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
process.
- plugins: Skip mounting plugin-based secret and credential mounts when
setting up mounts if the plugin is no longer present in the catalog.
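The 0.8.3 entry above explains why `sign-self-issued` was changed to write the signing CA's Subject DN into the Issuer, and the 0.8.2 entry introduces the operation for switching root CAs. The Go program below is an added example that reproduces both behaviours with crypto/x509 and checks which one Go's chain builder accepts against a trust store holding only the new root; it is not Vault's pki backend code, and `makeCA`, `SignSelfIssued`, `ChainsTo` and `Demo` are names chosen here. Keys and certificates are generated inside the program, so there is no external input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a self-signed CA certificate with a fresh P-256 key. It
// stands in for both the old root being re-signed and the new root signing it.
func makeCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignSelfIssued re-signs selfIssued with the signer's key, keeping the
// original Subject and public key. rewriteIssuer=false reproduces what the
// entry says 0.8.2 did (Issuer left equal to the cert's own Subject);
// rewriteIssuer=true reproduces 0.8.3 (Issuer set to the signer's Subject DN).
func SignSelfIssued(selfIssued, signer *x509.Certificate, signerKey *ecdsa.PrivateKey, rewriteIssuer bool) (*x509.Certificate, error) {
	tmpl := *selfIssued // copy: Subject, validity and usages are read from it
	tmpl.SerialNumber = new(big.Int).Add(selfIssued.SerialNumber, big.NewInt(1000))
	parent := signer
	if !rewriteIssuer {
		// crypto/x509 copies the Issuer from parent.Subject, so to leave the
		// certificate self-issued we hand it a stand-in parent carrying the
		// leaf's own Subject but the signer's public key (which must match
		// signerKey, or CreateCertificate refuses to sign).
		parent = &x509.Certificate{
			Subject:    selfIssued.Subject,
			RawSubject: selfIssued.RawSubject,
			PublicKey:  &signerKey.PublicKey,
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, parent, selfIssued.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ChainsTo reports whether cert builds a valid path to a trust store that
// contains only root.
func ChainsTo(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Demo runs the root-rotation scenario: the old root is re-signed by the new
// root both ways, and both results are returned along with the new root.
func Demo() (stillSelfIssued, crossSigned, newRoot *x509.Certificate, err error) {
	oldRoot, _, err := makeCA("Old Root CA", 1)
	if err != nil {
		return nil, nil, nil, err
	}
	newRoot, newKey, err := makeCA("New Root CA", 2)
	if err != nil {
		return nil, nil, nil, err
	}
	if stillSelfIssued, err = SignSelfIssued(oldRoot, newRoot, newKey, false); err != nil {
		return nil, nil, nil, err
	}
	if crossSigned, err = SignSelfIssued(oldRoot, newRoot, newKey, true); err != nil {
		return nil, nil, nil, err
	}
	return stillSelfIssued, crossSigned, newRoot, nil
}

func main() {
	s, c, root, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer unchanged (%s): chains to new root = %v\n", s.Issuer.CommonName, ChainsTo(s, root))
	fmt.Printf("issuer rewritten (%s): chains to new root = %v\n", c.Issuer.CommonName, ChainsTo(c, root))
}
```

The stand-in parent in `SignSelfIssued` exists only because crypto/x509 derives the Issuer from the parent's Subject; it is how the example recreates the pre-0.8.3 output, not a signing practice to copy. The `false` result for that case is the "crypto stacks were unhappy" symptom the entry describes: a certificate whose Issuer equals its own Subject gives the path builder no name to look up in the trust store, even though the signature was made by the new root.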

Log message:
Update security/vault to 0.8.1.
DEPRECATIONS/CHANGES:
- PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already
exists will now return a `204` instead of overwriting an existing root. If
you want to recreate the root, first run a delete operation on `pki/root`
(requires `sudo` capability), then generate it again.
FEATURES:
- Oracle Secret Backend: There is now an external plugin to support leased
credentials for Oracle databases (distributed separately).
- GCP IAM Auth Backend: There is now an authentication backend that allows
using GCP IAM credentials to retrieve Vault tokens. This is available as
both a plugin and built-in to Vault.
- PingID Push Support for Path-Based MFA (Enterprise): PingID Push can
now be used for MFA with the new path-based MFA introduced in Vault
Enterprise 0.8.
- Permitted DNS Domains Support in PKI: The `pki` backend now supports
specifying permitted DNS domains for CA certificates, allowing you to
narrowly scope the set of domains for which a CA can issue or sign child
certificates.
- Plugin Backend Reload Endpoint: Plugin backends can now be triggered to
reload using the `sys/plugins/reload/backend` endpoint and providing either
the plugin name or the mounts to reload.
- Self-Reloading Plugins: The plugin system will now attempt to reload a
crashed or stopped plugin, once per request.
IMPROVEMENTS:
- auth/approle: Allow array input for policies in addition to comma-delimited
strings
- auth/aws: Allow using root credentials for IAM authentication
- plugins: Send logs through Vault's logger rather than stdout
- secret/pki: Add `pki/root` delete operation
- secret/pki: Don't overwrite an existing root cert/key when calling generate
BUG FIXES:
- aws: Don't prefer a nil HTTP client over an existing one
- core: If there is an error when checking for create/update existence, return
500 instead of 400
- secret/database: Avoid creating usernames that are too long for legacy MySQL

Log message:
Update security/vault to 0.8.0.
SECURITY:
- We've added a note to the docs about the way the GitHub auth backend works
as it may not be readily apparent that GitHub personal access tokens, which
are used by the backend, can be used for unauthorized access if they are
stolen from third party services and access to Vault is public.
DEPRECATIONS/CHANGES:
- Database Plugin Backends: Passwords generated for these backends now
enforce stricter password requirements, as opposed to the previous behavior
of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
is now unauthenticated.
FEATURES:
- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
plugins.
- PROXY Protocol Support: Vault listeners can now be configured to honor
PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
now supports lookup and listing of leases and the associated actions from the
'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
blacklists of mounts can be defined per-secondary to control which mounts
are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
replication mode, Disaster Recovery (DR), that performs full real-time
replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
Replication features in Vault Enterprise UI has expanded to include new DR
Replication mode and management of Filtered Mounts in Performance Replication
mode.
- Vault Identity (Enterprise Only): Vault's new Identity system allows
correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
Only): A brand new MFA system built on top of Identity allows MFA
(currently Duo Push, Okta Push, and TOTP) for any authenticated path within
Vault.
IMPROVEMENTS:
- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
hostname
- audit/socket: Enhance reconnection logic and don't require the connection to
be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
var
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
wildcard
- secret/ssh: Allow specifying the key ID format using template values for CA
type
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
client certificate verification when 'tls_require_and_verify_client_cert' is
enabled
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD
BUG FIXES:
- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
silently
- auth/token: Don't allow using the same token ID twice when manually
specifying
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options